This lab analyzes Windows Security Event Logs collected from a Windows 10 virtual machine and ingested into Splunk. The goal is to identify authentication, privilege, and group activity patterns and interpret them from a SOC analyst perspective.
Data Source: Windows Security Logs
Index: security_lab
Sourcetype: _json
Host: SecurityLabVM
Evidence:
Multiple failed logon events (Event ID 4625) were observed in rapid succession for the same account and host.
Interpretation:
This pattern resembles either a brute-force attempt or a misconfigured service repeatedly trying to authenticate with invalid credentials.
Why it matters:
Repeated authentication failures can indicate credential guessing attacks or exposed services that attackers may exploit.
What I would do next:
- Correlate with successful logons (4624) for the same account.
- Check source network addresses for external or unexpected origins.
- Confirm whether the account is used by a legitimate service.
Evidence:
A significant number of successful logon events were observed.
Interpretation:
These represent normal authentication activity, including interactive, system, and service logons.
Why it matters:
Establishes a baseline for normal behavior. Deviations such as logons at unusual times or from unexpected systems could indicate compromise.
What I would do next:
- Filter logons by time-of-day and account name.
- Identify logons following repeated failures.
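The next steps from the two findings above (flag bursts of 4625 failures per account and host, check whether the source address is outside the expected internal ranges, and look for a 4624 success shortly after the burst) as a worked example in Python. This is an added example, not part of the original lab and not lab data: the events are constructed inline, the field names (EventID, Computer, TargetUserName, IpAddress) mirror the Windows XML EventData names and are an assumption about how the lab's _json events are laid out, and the internal address ranges are an assumed allowlist. The comment near the top gives the equivalent Splunk search for the burst step under the same field-name assumption.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Equivalent Splunk search for the burst step (assumed field names):
#   index=security_lab sourcetype=_json EventID=4625
#   | bin _time span=5m | stats count by _time, TargetUserName, Computer | where count >= 5

# Constructed sample events in the JSON-lines shape assumed for the lab's _json
# sourcetype. Accounts, timestamps and addresses are made up for this example.
def _ev(ts, event_id, account, src, computer="SecurityLabVM"):
    return {"_time": ts, "Computer": computer, "EventID": event_id,
            "TargetUserName": account, "IpAddress": src}

SAMPLE_LOG = "\n".join(json.dumps(e) for e in (
    # six failures in 50 s from an internal host: looks like a broken service account
    [_ev(f"2024-05-01T10:00:{s:02d}", 4625, "svc_backup", "10.0.0.5") for s in range(0, 60, 10)]
    # five failures from outside the assumed internal ranges, then a success
    + [_ev(f"2024-05-01T10:05:{s:02d}", 4625, "jdoe", "203.0.113.7") for s in (0, 15, 30, 45, 59)]
    + [_ev("2024-05-01T10:06:30", 4624, "jdoe", "203.0.113.7")]
    # one mistyped password followed by a normal logon: below threshold, no alert
    + [_ev("2024-05-01T11:00:00", 4625, "alice", "10.0.0.20"),
       _ev("2024-05-01T11:00:05", 4624, "alice", "10.0.0.20")]
))

# Assumed internal ranges; anything else is treated as an unexpected origin.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_events(jsonl_text):
    """Parse JSON-lines events, convert _time to datetime, return them in time order."""
    events = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.fromisoformat(ev["_time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["_time"])


def find_failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(account, computer): (count, first_failure, last_failure)} for every
    account/host pair with at least `threshold` 4625 events inside a sliding window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            failures[(ev["TargetUserName"], ev["Computer"])].append(ev["_time"])
    bursts = {}
    for key, times in failures.items():
        times.sort()
        start, best = 0, None
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                      # slide the window forward
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], times[end])
        if best:
            bursts[key] = best
    return bursts


def is_external(address):
    """True when the source address is outside the assumed internal ranges.
    Non-address placeholders such as "-" (local logons) are treated as internal."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_RANGES)


def successes_after_bursts(events, bursts, lookahead=timedelta(minutes=10)):
    """Correlate each burst with a 4624 for the same account/host that lands within
    `lookahead` of the burst's last failure, and flag external source addresses."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4624:
            continue
        key = (ev["TargetUserName"], ev["Computer"])
        if key not in bursts:
            continue
        count, _first, last = bursts[key]
        if last <= ev["_time"] <= last + lookahead:
            src = ev.get("IpAddress", "-")
            hits.append({"account": key[0], "host": key[1], "failures": count,
                         "source": src, "external": is_external(src),
                         "success_time": ev["_time"].isoformat()})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    found = find_failure_bursts(evs)
    for (account, host), (count, first, last) in found.items():
        print(f"burst: {account}@{host} {count} failures {first.time()}-{last.time()}")
    for hit in successes_after_bursts(evs, found):
        print("success after burst:", hit)
```

On the sample data the svc_backup burst comes from an internal address with no following success, which fits the "misconfigured service" reading and is worth a ticket rather than an alert; the jdoe burst is followed by a success from an address outside the internal ranges, which is the combination the two findings say to escalate.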
Evidence:
Multiple instances of Event ID 4672 were observed, indicating special privileges assigned at logon.
Interpretation:
Accounts with administrative or elevated rights logged into the system.
Why it matters:
Privileged access is high-risk and commonly targeted by attackers for lateral movement and persistence.
What I would do next:
- Identify which accounts received privileges.
- Verify if access aligns with expected administrative activity.
Evidence:
Local group modification events were detected.
Interpretation:
Group membership or permissions were altered on the endpoint.
Why it matters:
Attackers may modify local groups to escalate privileges or maintain persistence.
What I would do next:
- Identify which group was modified and by whom.
- Verify whether the change was authorized.
Evidence:
Group membership enumeration events were observed.
Interpretation:
A user or process queried group memberships, often part of reconnaissance.
Why it matters:
Reconnaissance activity can precede privilege escalation or targeted attacks.
What I would do next:
- Correlate with suspicious logon or privilege events.
- Check which process or account initiated the enumeration.
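The next steps from the three findings above (which accounts received special privileges, which group was changed and by whom, and which account and process enumerated group membership, correlated with the privilege findings) as one worked triage in Python. This is an added example, not part of the original lab and not lab data. The page does not name the event IDs for the group findings; the code uses the standard Windows IDs 4732 (member added to a security-enabled local group), 4735 (security-enabled local group changed), 4798 (user's local group membership enumerated) and 4799 (security-enabled local group membership enumerated) alongside the page's 4672. The field names (EventID, Computer, SubjectUserName, TargetUserName, MemberName, CallerProcessName) mirror the Windows XML EventData names and are an assumption about the lab's _json layout; the accounts, the expected-administrator list and the authorization records are made up.

```python
import json

# Constructed sample events in the JSON-lines shape assumed for the lab's _json
# sourcetype; accounts, groups and process paths are made up for this example.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    # 4672: special privileges assigned to new logon
    {"EventID": 4672, "Computer": "SecurityLabVM", "SubjectUserName": "SYSTEM"},
    {"EventID": 4672, "Computer": "SecurityLabVM", "SubjectUserName": "labadmin"},
    {"EventID": 4672, "Computer": "SecurityLabVM", "SubjectUserName": "jdoe"},
    # 4799: security-enabled local group membership enumerated
    {"EventID": 4799, "Computer": "SecurityLabVM", "SubjectUserName": "jdoe",
     "TargetUserName": "Administrators",
     "CallerProcessName": "C:\\Windows\\System32\\net1.exe"},
    {"EventID": 4799, "Computer": "SecurityLabVM", "SubjectUserName": "SYSTEM",
     "TargetUserName": "Administrators",
     "CallerProcessName": "C:\\Windows\\System32\\svchost.exe"},
    # 4732: member added to a security-enabled local group
    {"EventID": 4732, "Computer": "SecurityLabVM", "SubjectUserName": "jdoe",
     "TargetUserName": "Administrators", "MemberName": "SecurityLabVM\\tempuser"},
    # 4735: security-enabled local group changed
    {"EventID": 4735, "Computer": "SecurityLabVM", "SubjectUserName": "labadmin",
     "TargetUserName": "Remote Desktop Users"},
])


def parse_events(jsonl_text):
    """Parse JSON-lines events into dicts."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def unexpected_privileged_logons(events, expected_admins):
    """Accounts that received special privileges (4672) but are not on the
    expected-administrator list."""
    return sorted({e["SubjectUserName"] for e in events
                   if e["EventID"] == 4672 and e["SubjectUserName"] not in expected_admins})


def local_group_changes(events):
    """Who changed which local group: 4732 (member added) and 4735 (group changed)."""
    changes = []
    for e in events:
        if e["EventID"] == 4732:
            changes.append({"actor": e["SubjectUserName"], "group": e["TargetUserName"],
                            "action": "member_added", "member": e.get("MemberName", "?")})
        elif e["EventID"] == 4735:
            changes.append({"actor": e["SubjectUserName"], "group": e["TargetUserName"],
                            "action": "group_changed", "member": None})
    return changes


def group_enumeration(events):
    """Who enumerated which user's or group's membership, and from which process
    (4798 for a user, 4799 for a security-enabled local group)."""
    return [{"actor": e["SubjectUserName"], "target": e["TargetUserName"],
             "process": e.get("CallerProcessName", "?"), "event": e["EventID"]}
            for e in events if e["EventID"] in (4798, 4799)]


def triage(events, expected_admins, authorized_group_changes=()):
    """Tie the three findings together. An account becomes a suspect when it received
    unexpected privileges or changed a local group without a matching (actor, group)
    authorization record; its enumeration activity is then surfaced for review."""
    suspects = set(unexpected_privileged_logons(events, expected_admins))
    unauthorized = [c for c in local_group_changes(events)
                    if (c["actor"], c["group"]) not in set(authorized_group_changes)]
    suspects.update(c["actor"] for c in unauthorized)
    suspect_enum = [r for r in group_enumeration(events) if r["actor"] in suspects]
    return {"suspects": sorted(suspects),
            "unauthorized_group_changes": unauthorized,
            "enumeration_by_suspects": suspect_enum}


if __name__ == "__main__":
    # Assumed inputs an analyst would maintain: who is allowed to hold admin rights,
    # and which group changes were ticketed/approved.
    result = triage(parse_events(SAMPLE_LOG),
                    expected_admins={"SYSTEM", "labadmin"},
                    authorized_group_changes={("labadmin", "Remote Desktop Users")})
    print(json.dumps(result, indent=2))
```

On the sample data labadmin's change to Remote Desktop Users is matched by an authorization record and drops out, SYSTEM's enumeration via svchost.exe is ignored because SYSTEM is an expected privileged account, and jdoe is surfaced on all three counts: unexpected 4672, an unauthorized addition to Administrators, and enumeration of that same group from net1.exe. That is the ordering the findings describe, where enumeration precedes the privilege change.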